Hi everyone,
I would like to ask some questions about the WordPress One-Click Install on DigitalOcean. The website I am moving to this droplet gets around 800 daily users so I want to make sure it can handle the load and be secure.
Out of the box, is the default security enough, or does more need to be done?
Why does it install Ubuntu 20.04.5 LTS and not Ubuntu 22.04.1 LTS? Should I upgrade to Ubuntu 22.04.1 LTS? Are there benefits? Speed? Security?
Should any additional Fail2Ban filters be enabled? Currently only the defaults are enabled -
```
# fail2ban-client status
Status
|- Number of jail: 3
`- Jail list: sshd, wordpress-hard, wordpress-soft
```
Fail2Ban has 90 filters available, so shouldn’t more be used? For example, is it recommended to enable the php-url-fopen.conf filter, or any others?
Would you recommend renaming the WordPress admin login wp-login.php? Would this make the wordpress-hard and wordpress-soft filters redundant?
I understand the fewer Fail2Ban filters enabled, the less resource intensive it will be. I would like to find a good balance but lean more towards security over performance.
On the WordPress Fail2Ban settings page it says -
> Note: The Free version of WP fail2ban is configured by defining constants in wp-config.php
When I look in wp-config.php I don’t see any F2B constants added. Should they be? Should I add some?
The WP Fail2Ban docs say -
> You should consider enabling Comment: Spam and Attempted Comment: Closed post, and, if you don’t use WordPress’s commenting system at all, you should enable all the Attempted Comment Events. source: https://docs.wp-fail2ban.com/en/5.0/configuration/logging.html
I haven’t got comments enabled on this website so should I add the following to wp-config.php -
```php
include __DIR__.'/wp-content/plugins/wp-fail2ban/lib/constants.php';
/**
 * Log comments on 'Closed' and 'Draft' posts
 */
define('WP_FAIL2BAN_LOG_COMMENTS_EXTRA', WPF2B_EVENT_COMMENT_NOT_FOUND | WPF2B_EVENT_COMMENT_TRASH | WPF2B_EVENT_COMMENT_CLOSED | WPF2B_EVENT_COMMENT_DRAFT | WPF2B_EVENT_COMMENT_PASSWORD);
```
Also I noticed that when I log into the droplet via SSH I get this message -
```
- The must-use WordPress security plugin, fail2ban, is located at /var/www/html/wp-content/mu-plugins/fail2ban.php
```
I don’t have a /mu-plugins/ folder just /plugins/.
Is the WordFence plugin overkill?
Would I be right in thinking mod_security isn’t needed because UFW is enabled?
Should any of the UFW settings be adjusted, or is out of the box sufficient?
When it comes to file permissions I followed part of this guide so WordPress can automatically update via www-data - https://devanswers.co/configure-sftp-web-server-document-root/
I’ve added this to wp-config.php so WordPress can auto update without needing to do it via FTP -
```php
define('FS_METHOD','direct');
define('WP_AUTO_UPDATE_CORE', true);
```
I’ve added these security headers to /etc/apache2/apache2.conf -
```apache
# Add Security Headers
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
# The later "always set DENY" replaces this appended value, so clients receive DENY
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header always set Referrer-Policy "same-origin"
Header always set X-Frame-Options "DENY"
Header set X-Permitted-Cross-Domain-Policies "none"
Header always set Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none';"
</IfModule>
```
Will the website cope with this traffic, or should the Apache Workers be increased? If yes, where are these settings located? On my other droplet they are here: /etc/apache2/mods-available/http2.conf, but on this new droplet I can’t find them. Is it because this droplet is shared? I plan to resize to this dedicated droplet: CPU-Optimized Dedicated CPU, 2 vCPUs, 4 GB, 25 GB, 4 TB, $42/mo. The current droplet is shared: 1 GB Memory / 1 Intel vCPU / 25 GB Disk.
These are the Apache Worker settings on the other dedicated droplet -
```apache
ServerLimit 1200
MaxClients 1200
MaxRequestsPerChild 8000
```
I was thinking about trying the OpenLiteSpeed WordPress 1-Click as it is supposed to be 300+ faster. Does this help get a higher score on Google Page Speed?
If anyone can recommend any improvements I would really appreciate the advice.
Thank you for taking time to read my post!
Hi @twc8ac35a8636,
The Droplet itself should be secure enough. To make sure it stays that way, you’ll need to run updates at least once a week:
> Why does it install Ubuntu 20.04.5 LTS and not Ubuntu 22.04.1 LTS? Should I upgrade to Ubuntu 22.04.1 LTS? Are there benefits? Speed? Security?
The image itself seems not to have been updated to the 22.04 Ubuntu release. At this point, it’s fine staying with 20.04, but you’ll need to upgrade to 22.04 at some point, so it might be better now rather than later. As for benefits, it’s always better to go to the next release; what comes to mind for me is the kernel, as on 22.04 it’s newer, but there are a lot more improvements which you can read about.
> Should any additional Fail2Ban filters be enabled? Currently only the defaults are enabled -
I’m personally not a fan of Fail2Ban when it’s not configured by someone with a lot of experience with it. Fail2Ban can start banning legitimate requests if not configured properly so it’s always better to be careful around it. Additionally, it can cause a load on your system so really be careful.
What you already have should be sufficient for now.
> Would you recommend renaming the WordPress admin login wp-login.php? Would this make the wordpress-hard and wordpress-soft filters redundant?
Yes and no. It’s good to rename it with a plugin just so that it’s not so easily discoverable; however, most exploits do not come from wp-login but from outdated software.
> Is the WordFence plugin overkill?
> Would I be right in thinking mod_security isn’t needed because UFW is enabled?
WordFence won’t be overkill. mod_security, on the other hand, together with Fail2Ban, WordFence and so on, would be.
Be careful not to add too many firewalls and security tools, as at some point when something breaks you won’t be able to figure out from where and why.
> When it comes to file permissions I followed part of this guide so WordPress can automatically update via www-data - https://devanswers.co/configure-sftp-web-server-document-root/
That’s fine.
Regarding the Apache workers, if you can’t find them they are set to the default values. You can increase them by adding them to Apache’s main config file, but don’t increase them too much as it might become heavy for your Droplet.
Regarding other improvements, what I can recommend is to change your Apache MPM module from prefork to event and install php-fpm. It will greatly increase your experience.
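As an added example (not from the answer above or from DigitalOcean's 1-Click image), a POSIX shell helper that sizes the worker limits discussed in this thread from the droplet's RAM and performs the prefork-to-event switch the answer recommends; the 40 MB per-worker figure, the 512 MB reservation and PHP 7.4 are assumptions, so check them on your own droplet first.

```shell
#!/bin/sh
# Added example, not part of the thread or the 1-click image. Assumes Apache 2.4
# on Ubuntu 20.04 with PHP 7.4 (check `php -v`) and roughly 40 MB RSS per prefork
# worker (measure with: ps -ylC apache2 --sort=rss). Adjust both if they differ.

# max_workers RAM_MB RESERVED_MB PER_WORKER_MB
# Workers that fit after reserving RAM for MySQL and the OS. The posted
# ServerLimit/MaxClients of 1200 would need 1200 * 40 MB = 48 GB; a 1 GB droplet
# with 512 MB reserved gets 12, a 4 GB droplet with 1 GB reserved gets 76.
max_workers() {
    ram=$1; reserved=$2; per=$3
    avail=$((ram - reserved))
    [ "$avail" -gt 0 ] || { echo 0; return 1; }
    echo $((avail / per))
}

# event_mpm_conf WORKERS
# Emits an mpm_event block whose MaxRequestWorkers is a multiple of
# ThreadsPerChild (Apache rounds it otherwise) and never below one process.
# Event threads are lighter than prefork processes, so this budget is conservative.
event_mpm_conf() {
    tpc=25
    mrw=$(( ($1 / tpc) * tpc ))
    [ "$mrw" -ge "$tpc" ] || mrw=$tpc
    cat <<EOF
<IfModule mpm_event_module>
    ServerLimit             $((mrw / tpc))
    StartServers             2
    MinSpareThreads         25
    MaxSpareThreads         75
    ThreadLimit             64
    ThreadsPerChild         $tpc
    MaxRequestWorkers       $mrw
    MaxConnectionsPerChild 1000
</IfModule>
EOF
}

# switch_to_event: run as root. Replaces mod_php + prefork with event + php-fpm,
# sizes the MPM from this droplet's RAM, and only restarts Apache if the new
# configuration parses.
switch_to_event() {
    apt-get install -y php7.4-fpm
    a2dismod php7.4 mpm_prefork
    a2enmod mpm_event proxy_fcgi setenvif
    a2enconf php7.4-fpm
    workers=$(max_workers "$(free -m | awk '/^Mem:/{print $2}')" 512 40)
    event_mpm_conf "$workers" > /etc/apache2/mods-available/mpm_event.conf
    apachectl configtest && systemctl restart apache2
}
```

Source the file and call `switch_to_event` as root; `max_workers` and `event_mpm_conf` can be run on their own to preview the numbers before touching the server.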
Hello there,
I will personally recommend making sure that a SWAP space is added on the droplet, that the MySQL database is optimized, and that there is caching (either a cache plugin or server-level caching like Redis).
https://www.digitalocean.com/community/tutorials/how-to-add-swap-space-on-ubuntu-20-04
If the database is huge in size or generally busy with requests, you can use the MySQL tuner script to optimize the database performance.
https://www.digitalocean.com/community/questions/how-to-tweak-mysql-mariadb-configuration-for-increased-performance-and-stability
We have a tutorial on how to optimize WordPress on Ubuntu 20.04 which you can check here:
https://www.digitalocean.com/community/tutorials/how-to-optimize-wordpress-on-ubuntu-20-04
Another really useful article:
https://www.digitalocean.com/community/tutorials/how-to-optimize-a-wordpress-installation-before-troubleshooting
Hope that this helps!